What are your strategies to protect your network (security & privacy)?

Hi there

How paranoid are you? I am completely paranoid, I think.

Many of you know Mr. Robot, I’m sure. Especially s02e01, where the bleeding-edge automated home of some E-Corp chief of something gets hacked, reminded me to keep an eye on my own network’s security.

So, that’s what I do: whenever possible I do not use the standard apps or software provided by the vendors (IKEA, Philips, Xiaomi etc.). I do not want the devices in my network to phone home. At the moment I implement firewall rules based on the MAC of my devices. Those devices I don’t want to phone home I block with a rule (reject any packet routed to the outside). Of course that’s a quite weak protection mechanism; MAC spoofing is well known. Something I want to do is move from blacklisting to whitelisting to mitigate the problem of MAC spoofing.

Something I experienced: if you just block the traffic, your devices can become unresponsive. The robovac maxed out its connection count. My Xiaomi vacuum robot, for example, was not responding to commands from Home Assistant. I had to allow NTP and DNS (UDP only) traffic. Everything else gets rejected (not blocked but rejected).

To read about the difference of blocking or rejecting packets see here: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

Sidenote about the Xiaomi robovac: there is an alternative to the chatty Xiaomi app called Flole “Xiaomi RemoteControl”. I did not test it. I just stumbled upon it and thought it could be interesting for you: https://xiaomi.flole.de

If you are interested in the inner parts of the robot and some firmware dumping / reverse engineering, check these links:
lots of high res pictures (from motherboard too): http://bbs.bblqs.com/thread-11299-1-1.html
http://www.robotreviews.com/chat/viewtopic.php?p=142141
https://community.openhab.org/t/mi-xiaomi-smart-home-bindings/4711/120
https://www.domoticz.com/forum/viewtopic.php?p=119786#p119786

But now I’m going completely off topic.

What are your mitigation strategies? What are your concerns?

Happy automating & be secure!


Edit ((hopefully) updated from time to time):

Summary of your network security strategies (organizational approach)

  • Do not talk about your security measures (link).



Summary of your technical solutions (technical approach):

  • Restrict the REST API to a specified IP
  • Block DNS requests (e.g. Pi-hole) (link)
  • Implement IoT-VLAN (link)
  • Separate WLAN for IoT / Guests / Private etc. (link)
  • Use privacy plugins (adblock plus, ghostery, Ublock Origin)
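The post above hinges on the difference between rejecting and dropping egress traffic: a rejected connection fails immediately, a dropped one hangs until the device's own timeout expires, which is the kind of behaviour that leaves a robovac "unresponsive". The following client-side probe is an added example (not code from the thread) that tells the two apart from the device side of the firewall: it reports `rejected` on RST / ICMP port-unreachable (what a REJECT rule produces) and `dropped` on a silent timeout (what a DROP rule produces). The loopback self-test below needs no firewall; the robovac address in the trailing comment is an assumption.

```python
import socket
import time


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Try a TCP connect to host:port and report how it ended.

    Returns (status, seconds) where status is one of:
      'open'        - the handshake completed
      'rejected'    - RST or ICMP port-unreachable came back (ECONNREFUSED),
                      which is what a firewall REJECT rule produces
      'dropped'     - nothing came back before the timeout, which is what a
                      DROP rule (or a black-holed route) produces
      'unreachable' - the local stack refused to route (ENETUNREACH etc.)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"
    except ConnectionRefusedError:
        status = "rejected"
    except socket.timeout:
        status = "dropped"
    except OSError:
        status = "unreachable"
    return status, round(time.monotonic() - start, 3)


def local_selftest() -> tuple:
    """Show the two fast outcomes on loopback, no firewall needed: an
    ephemeral listener answers 'open'; once it is closed the kernel answers
    every SYN with RST, i.e. exactly what a REJECT rule does."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open[0], after_close[0]


if __name__ == "__main__":
    print(local_selftest())  # ('open', 'rejected')
    # Against a real IoT device behind your own rules: a DROP rule shows up
    # as ('dropped', ~timeout), a REJECT rule as ('rejected', << 1 s).
    # Assumed address, replace with the device under test:
    # print(probe_tcp("192.168.20.50", 443, timeout=5.0))
```

This only covers TCP; UDP services like DNS and NTP give no handshake to observe, so for those the firewall's own counters or a Pi-hole query log are the better evidence.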

One little snippet for Rest APIs I use at home, requires ‘request’ from the Flask module, to restrict them to just talking to one IP (Hass) and nothing else. One less thing to think about.

from flask import Flask, request, abort

app = Flask(__name__)

# Optional security measure: only the Home Assistant host may talk to this API
@app.before_request
def limit_remote_addr():
    if request.remote_addr != '192.123.123.123':
        abort(403)  # Forbidden

Where I have used commercial off the shelf plugs etc., I use Pi-Hole to stop them phoning home:

It’s appalling how often they try, and every single time a device is used. Pi-hole gives me a lot of peace of mind, and lets me compare them graphically.

There’s firewalls too of course, but I’m always looking for tips & tricks.

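The `before_request` snippet in the post above pins the API to one address. As an added example (not the poster's code), here is the same idea generalised to an allowlist of hosts and CIDR ranges, written as plain WSGI middleware so it runs with the standard library alone and can be wrapped around a Flask app with `app.wsgi_app = RemoteAddrAllowlist(app.wsgi_app, ALLOWED)`. Two caveats a practitioner hits in practice are handled explicitly: IPv4 peers on a dual-stack listener arrive as `::ffff:a.b.c.d`, and `X-Forwarded-For` is client-controlled, so only the socket peer address is trusted. The addresses in `ALLOWED` (a Home Assistant host and a private VLAN) are assumptions.

```python
import ipaddress
from typing import Iterable, Optional


class RemoteAddrAllowlist:
    """WSGI middleware: answer 403 unless the TCP peer address is allowlisted."""

    def __init__(self, app, allowed: Iterable[str]):
        self.app = app
        # Single hosts and CIDR ranges both work ("192.168.10.5", "192.168.10.0/24").
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]

    def is_allowed(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # unparsable REMOTE_ADDR: fail closed
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; fold
        # them back so IPv4 allowlist entries still match.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return any(ip in net for net in self.allowed)

    def __call__(self, environ, start_response):
        # Only the socket peer address counts. X-Forwarded-For is whatever
        # the client chose to send unless a trusted reverse proxy rewrites
        # it, so it is deliberately ignored here.
        if not self.is_allowed(environ.get("REMOTE_ADDR", "")):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the REST API being protected."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Assumed: 192.168.10.5 is the Home Assistant host, fd00:10::/64 the private VLAN.
ALLOWED = ["192.168.10.5", "fd00:10::/64"]
protected = RemoteAddrAllowlist(demo_app, ALLOWED)


def call(app, remote_addr: str, headers: Optional[dict] = None) -> tuple:
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(call(protected, "192.168.10.5"))                                   # ('200 OK', b'ok\n')
    print(call(protected, "192.168.10.77", {"X-Forwarded-For": "192.168.10.5"}))  # 403
```

If the API does sit behind a reverse proxy, the proxy's address is what REMOTE_ADDR will show; in that case restrict the proxy itself and let it enforce the client allowlist, rather than teaching the app to believe forwarded headers.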

VLAN

I have an IoT VLAN for cheap, never-updated, insecure switches, cams, and other stuff.
WAN is blocked.
Outgoing LAN is blocked
Only incoming connection allowed and then outgoing to that established connection allowed.

Pihole was nice but more than I want.
BIND dns is enough I believe.

Keep servers updated and get decent router that gets patched.


In addition to a “things” VLAN, I also have a “guest” VLAN to be able to restrict access for friends & family to the rest of the network and make it easier to frequently change the password, and a “private” VLAN for my own trusted devices. These VLANs go hand in hand with 3 separate Wi-Fi SSIDs.

First step in LAN security - Not discuss on a public forum what steps I have personally taken for LAN security. :wink:

@atomicpapa: Good point, that’s the good old way of security by obscurity :grin:! That’s my approach concerning my personal data. No social media accounts etc. with valid personal data or public profiles about me. You have to work some time to find me.

Anyways: I hope your statement won’t kill this thread!

@Bit-River: My fresh Pi-hole appliance has been up and running since yesterday. Nice piece of software. I have installed Adblock Plus and Ghostery in my browsers. Do you browse the net without any privacy plugin / is Pi-hole enough for you? Xiaomi and Philips queries get caught, nice!

Oh, I still use a plugin: Ublock Origin.

Pi Hole blocks only set sources, still need the plugin to stop other tricks & tracking.

The Belkin Wemo plugs are caught too, and still work perfectly well when they can’t phone home.

Not having social media accounts isn’t much of a way to escape the tracking unfortunately

Thanks for the links in this thread. Arrived here via search because I am a little concerned about giving the Xiaomi robot access to my network for obvious reasons. The component page says it is local polling, so is it OK to block its internet access completely? What about isolating it from the rest of the network? It’s still going to need to connect to Hass; I would prefer that it not connect to other network clients at all.

Would appreciate any advice on how to accomplish this. Don’t need their phone app either since Hass can control it.

Thanks for this interesting read! I set a firewall rule to reject all traffic going to the internet (not blocking but rejecting). So at the moment the robovac can communicate with other devices in my LAN. I have to check again whether I blocked NTP and DNS too (I wrote it in the initial post but I’m not sure of the setup at this moment). The robovac has problems if traffic is blocked. It becomes unreachable.

it is ok to block it’s internet access completely?

It’s better not to block but to reject, I think.

What about isolating it from the rest of the network?

Should be no problem. Implement a firewall rule or a VLAN.

Concerning Facebook’s tracking mechanisms: I think data reduction and data economy are still crucial. Sure, if all people share their data (including links, mails or other hints to me) I can’t escape the data leech. Once more this shows it is not (only) about technology but about behaviour, awareness and organisational measures.

Interesting topic, but a little word of advice: remain rational about it, assess how much of a “target” you are and act accordingly.

Personally I don’t go the “lock-down” route as others here do; for me it comes down to only using devices that I trust for different reasons, combined with a good firewall and a non-cloud approach (one of the best things about HA is being your own “cloud”). It might be safe to lock down what IPs devices can access; on the other hand you could potentially have some outdated and vulnerable firmware if somebody manages to get into your network regardless.

The safest approach I think is to have an entirely wired setup controlled by an offline server/Pi, but being realistic about it, this setup is for the few.

For sure, I am not really that worried. I try to be preemptive and cautious precisely because I’m not an expert on security stuff.

But like you said, I prefer HA’s open source non-cloud approach. Since this particular product apparently is controlled locally by HA it makes sense to me to just block its cloud access, to prevent future firmware updates from messing this up.

It is an interesting topic though, and the Chinese government makes no secret about their demands for backdoors in the tech companies who do business there. It does make me wonder how wise (or paranoid!) it is to expose a device with a mainland China cloud connection to my local network full of all kinds IoT stuff, all with varying levels of security.

I am a part-time paranoid. It’s true I’m probably not a high-level target. But (imho) that’s not the point. I’m a big fan of risk assessment and good practices (not best practice at all cost!), but concerning my privacy it’s a no-go to use cloud services. Probably this is too extreme again. I know… As long as a device works without vendor-cloud-based data leeching, I try to achieve it.

The robovac has a pretty clear picture of my home (the app delivers a nice image of the scan) :wink: But I’m more concerned about a payload being loaded from the internet onto the robovac that attacks my WLAN and its not-always-up-to-date devices. I just read a bit about botnets; I don’t want to become part of this. The Xiaomi robovac runs an Android OS. It’s closed source. I do not know what that device actually does. (I’d like to have a shell on it and inspect the processes it runs, for example.) Paranoid, I know. But don’t get hung up on this attitude! (Can someone translate? I don’t know how to say this in English… Sorry!)

We have a lowest common denominator: be concerned about privacy and network security. Some are more concerned, some are less; some do more risk assessment, some are completely paranoid. No problem at all :wink: We can learn from each other!

Thanks for participating & Cheers!

Today at 15:45 there is a talk about the Xiaomi Mi vacuum robot and its potential privacy issues. Live stream here. Description of the talk is here.

Hi all,

I had the exact same problem: the vacuum works OK with Hass while fully rejecting all internet traffic. The vacuum works for a few days. Then slowly it gets into a crashed state where nothing works anymore.

Just wanted to ask whether any of you know which DNS and which NTP it uses?

Does it use the dns server from the dhcp lease?

I’m thinking about allowing dns and ntp. However want to restrict it to what it needs rather than allowing the port open. And will be only allowing public dns and public ntp. Not xiaomi ones.

The first post says you needed to allow DNS and NTP? So allowing DNS by itself wasn’t enough to allow the vacuum to work in Hass?

I use Pi-hole, which filters out a lot. Pi-hole logs the queries per IP. I checked just now which domains were resolved by my robovac:
|2018-03-10 20:27:53|IPv4|0.de.pool.ntp.org
|2018-03-10 20:27:53|IPv6|0.de.pool.ntp.org
|2018-03-10 20:27:53|IPv4|1.de.pool.ntp.org
|2018-03-10 20:27:53|IPv6|1.de.pool.ntp.org
|2018-03-10 20:27:10|IPv4|ot.io.mi.com
|2018-03-10 20:27:10|IPv4|ott.io.mi.com

All outgoing traffic for the robovac is rejected (not blocked) by my firewall except NTP and DNS(UDP).
DNS is handled by pi hole where the mi-domains are blocked (although there is no outgoing communication anyways).

Yes the robovac uses the dns server from the dhcp lease. But it’s not verified if it’s the only source or no hard coded IP addresses are used.

I am not sure if it’s enough to only allow DNS.
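The query log above is the raw material for the "allow only what it needs" policy asked about two posts earlier. As an added example (not the poster's code), the script below parses rows in exactly the `|timestamp|IPv4/IPv6|domain` shape shown above, counts queries per domain, classifies each domain against a suffix policy, and flags anything that is neither expected nor in a baseline of previously seen names, which is the signal you want when a firmware update makes a device start talking somewhere new. The sample rows are constructed: the six real names from the post plus one invented `.test` domain; the suffix policy (`pool.ntp.org` is NTP, `mi.com` is the vendor cloud) is an assumption drawn from those rows, not vendor documentation.

```python
import re
from collections import Counter
from typing import Iterable

# One Pi-hole export row as shown in the post: |timestamp|IPv4 or IPv6|domain
LOG_LINE = re.compile(
    r"^\|(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|(?P<qtype>IPv4|IPv6)\|(?P<domain>[^|\s]+)\s*$"
)

# Assumed suffix policy for this device, derived from the queries above.
EXPECTED = {
    "ntp": ("pool.ntp.org",),
    "vendor-cloud": ("mi.com",),
}

# Constructed sample: the six rows from the post plus one invented row
# (the .test TLD is reserved, so it can never be a real destination).
SAMPLE_LOG = """\
|2018-03-10 20:27:53|IPv4|0.de.pool.ntp.org
|2018-03-10 20:27:53|IPv6|0.de.pool.ntp.org
|2018-03-10 20:27:53|IPv4|1.de.pool.ntp.org
|2018-03-10 20:27:53|IPv6|1.de.pool.ntp.org
|2018-03-10 20:27:10|IPv4|ot.io.mi.com
|2018-03-10 20:27:10|IPv4|ott.io.mi.com
|2018-03-10 20:28:01|IPv4|telemetry.example-vendor.test
"""


def parse_log(text: str) -> list:
    """Return one dict (ts, qtype, domain) per well-formed row; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(domain: str) -> str:
    """Map a domain to a policy label by exact or parent-suffix match.

    'evilmi.com' must not match 'mi.com', hence the leading dot check."""
    d = domain.lower().rstrip(".")
    for label, suffixes in EXPECTED.items():
        if any(d == s or d.endswith("." + s) for s in suffixes):
            return label
    return "unexpected"


def summarise(text: str, baseline: Iterable[str] = ()) -> dict:
    """Per-domain query count (IPv4 and IPv6 lookups both counted), policy
    class, and whether the name is new relative to a baseline of names
    this device has been seen querying before."""
    seen = {b.lower() for b in baseline}
    counts = Counter(r["domain"].lower() for r in parse_log(text))
    return {
        domain: {"queries": n, "class": classify(domain), "new": domain not in seen}
        for domain, n in counts.items()
    }


def needs_attention(report: dict) -> list:
    """Domains that are outside the policy or never seen before."""
    return sorted(d for d, r in report.items() if r["class"] == "unexpected" or r["new"])


if __name__ == "__main__":
    baseline = {"0.de.pool.ntp.org", "1.de.pool.ntp.org", "ot.io.mi.com", "ott.io.mi.com"}
    report = summarise(SAMPLE_LOG, baseline)
    for domain, info in sorted(report.items()):
        print(f"{domain:32} {info['queries']:>3} {info['class']:13} new={info['new']}")
    print("attention:", needs_attention(report))  # ['telemetry.example-vendor.test']
```

Run it periodically against the export for the robovac's IP and keep the previous run's domain set as the baseline; a device whose destinations change after a firmware update shows up as a `new` entry before any firewall counter moves.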

Thanks for your NTP hostnames. I wonder why it chose de.pool.ntp.org. I’ll try and allow it and see if the vacuum starts working for longer periods of time.

Another thing I might do is run a local NTP and DNS on the router to force all DNS and NTP traffic coming from the vacuum to the router via IP replacement.

For the sake of completeness about robovac’s communication and possible problems by blocking it by a firewall:

Do not block the domains in pi hole that were queried by your robovac:

ot.io.mi.com
ott.io.mi.com

If you do, your robovac will stop reacting to commands. It will still be detected by mirobo but won’t start, stop or do anything. I tested it and learned it the hard way (see comment on github).